Sticky Bit Tips

Linux Tips by Burleson Consulting

Sticky bit

The sticky bit is used on shared directories to prevent users from renaming or
deleting each other's files. The only users who can rename or delete files in a
directory with the sticky bit set are the file owner, the directory owner, or
the super-user (root). The sticky bit is represented by the letter t in the
last position (the "other" execute slot) of the permissions display; a capital
T means the bit is set but "other" has no execute permission. Linux ignores
the sticky bit on regular files.

SUID

Set user ID, used on executable files to make the program run with the
effective user ID of the file's owner rather than that of the user who invoked
it. Because the program then carries the owner's privileges, every setuid-root
binary on a system is part of its attack surface and should be inventoried.
A few other Unix systems (FreeBSD built with the SUIDDIR option, for example)
also honour SUID on a directory, making new files owned by the directory
owner; Linux ignores SUID on directories entirely.

SGID

Set group ID, used on executable files to make the program run with the
effective group ID of the file's group (like SUID, but for the group). SGID on
a directory causes every file or subdirectory created in it to take the
directory's group rather than the creating user's primary group, and new
subdirectories inherit the SGID bit itself. A file moved in with mv from the
same filesystem keeps its existing group, because nothing new is created.

Table 6.3: Special permission mode settings and their
descriptions

The following example displays the SUID permission mode that is set on the
passwd command, indicated by the letter s in the execute position of the user
(owner) permission triplet. Users want to change their own passwords without
asking the System Administrator to do it for them. Since changing a password
means updating /etc/passwd (and, on modern systems, the hashes in
/etc/shadow), files that are owned by root and protected from modification by
any other user, the passwd command must run with root privileges.

The which command is used to find the full path name of the passwd command,
then the attributes of that file are listed with ls -l, showing the SUID
permission.

Here we see not only that the SUID bit is set on the passwd command but also
that the command is owned by root. These two facts together tell us that
passwd will run with the privileges of root regardless of who executes it.
That is exactly why setuid-root programs deserve scrutiny: an exploitable bug
in one is a local privilege escalation, so the set of such files on a host
should be small, known, and checked regularly.
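The check described above, written out as a small POSIX shell script. This is an added example, not code from the original page: it locates passwd, prints its mode and owner, decides whether it is a root-owned setuid file, and then lists every setuid or setgid regular file under a directory tree, which is the inventory a practitioner wants. The temporary files created under mktemp -d are constructed for the demonstration; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original page: inspect the special bits the
# way the passwd check above does, and inventory setuid/setgid files.
# The temporary tree created at the bottom is constructed for the demo.

# The ten-character mode string from ls -ld, e.g. "-rwsr-xr-x".
# Position 4 is the owner's execute slot: 's' means setuid plus execute,
# 'S' means setuid without execute. Position 7 does the same for setgid.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Owner name as printed by ls -ld (third field).
owner_of() {
    ls -ld "$1" | awk '{print $3}'
}

# Succeed only for the combination the text describes for passwd:
# setuid bit present AND file owned by root, i.e. it runs as root
# for whoever executes it.
is_root_setuid() {
    case "$(mode_of "$1")" in
        ???[sS]*) [ "$(owner_of "$1")" = root ] ;;
        *) return 1 ;;
    esac
}

# List every regular file under $1 carrying setuid (4000) or setgid (2000).
# "-perm -MODE" matches when all bits of MODE are set, so the two tests
# are OR'ed; this form is POSIX and works with both GNU and BSD find.
find_special() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# --- demonstration -----------------------------------------------------
# 1. The page's own check, guarded in case passwd is absent on this host.
if p=$(command -v passwd 2>/dev/null); then
    printf '%s  %s  %s\n' "$(mode_of "$p")" "$(owner_of "$p")" "$p"
    is_root_setuid "$p" && echo "passwd runs as root for every caller"
fi

# 2. A constructed tree, so the audit can be seen without scanning /.
demo=$(mktemp -d)
printf '#!/bin/sh\necho demo\n' > "$demo/suid_tool"
printf '#!/bin/sh\necho demo\n' > "$demo/sgid_tool"
: > "$demo/plain_tool"
chmod 4755 "$demo/suid_tool"    # rwsr-xr-x
chmod 2755 "$demo/sgid_tool"    # rwxr-sr-x
chmod 755  "$demo/plain_tool"   # rwxr-xr-x, not listed
echo "special-bit files under $demo:"
find_special "$demo"
rm -rf "$demo"
```

On a real host, run find_special / against a saved baseline; a setuid file that was not there yesterday is worth a look before anything else.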

These special modes can be very helpful on multi-user systems. To set or unset
the sticky bit use the t flag in chmod's symbolic mode (chmod +t or chmod -t).
When setting the sticky bit we do not have to specify whether it is for user,
group or other, since only the "other" position carries it. In the following
example we make a directory called public which anyone can write to, and use
the sticky bit to make sure only file owners (plus the directory owner and
root) can remove or rename the files in it.

We see that the last character of the permissions string is a t, indicating
the sticky bit has been set. We could also put a leading 1 in front of the
numeric mode (the sticky bit is 1 in the octal "special" digit) to achieve the
same result. The following chmod command accomplishes the same thing as the
two chmod commands in the last example:

Now let's say we instead want a directory into which other users can copy
files, with those files instantly taking our group. This is where the SGID
directory bit comes in. The original text pairs it with the SUID bit so that
the files also become owned by our username; that is what a few other Unix
systems do, but Linux ignores the SUID bit on directories, so on Linux the
copied files stay owned by whoever created them.

With the directory owned by tclark and the group authors, and the SGID bit
set, every file created in drop_box gets the group authors; ownership remains
with the creator. Note also that a file moved in with mv from elsewhere on
the same filesystem keeps its old group, because nothing is created; cp and
newly written files do take the directory's group. This example also
illustrates how to change multiple levels of permissions with a single chmod
by separating the symbolic modes with a comma (for instance u+s,g+s). Just
like with the other permissions this could have been simplified into one
command using the SUID and SGID numeric values (4 and 2 respectively); setting
both gives 6 as the leading digit, and since only the 2 has any effect on a
Linux directory, 2 alone is the honest choice.
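The two directory set-ups above, as an added example that is not part of the original page: a POSIX shell script that builds a sticky public directory and an SGID drop_box under a constructed temporary parent, then verifies what the bits actually do on Linux, namely that a new file takes the directory's group but keeps the creator as owner even after SUID is added to the directory. Directory and file names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original page: build the "public" and
# "drop_box" directories described above inside a constructed temporary
# parent, then verify what each special bit really does on Linux.

# Ten-character mode string from ls -ld, e.g. "drwxrwxrwt".
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Owner (field 3) and group (field 4) as printed by ls -ld.
owner_of() { ls -ld "$1" | awk '{print $3}'; }
group_of() { ls -ld "$1" | awk '{print $4}'; }

# Shared drop area: world-writable plus sticky. Equivalent to
#   chmod 777 DIR; chmod +t DIR
# The leading 1 in 1777 is the sticky bit in octal.
make_public() {
    mkdir -p "$1" && chmod 1777 "$1"
}

# Group drop box: members of the directory's group write to it, and every
# new file takes that group. Equivalent to chmod 775 DIR; chmod g+s DIR.
# The leading 2 in 2775 is the setgid bit; 4 would be setuid, which Linux
# ignores on directories, so 6775 buys nothing over 2775 here.
make_drop_box() {
    mkdir -p "$1" && chmod 2775 "$1"
}

# Sticky shows as 't' (or 'T' without other-execute) in the last slot.
has_sticky() {
    case "$(mode_of "$1")" in *[tT]) return 0 ;; *) return 1 ;; esac
}

# Setgid shows as 's' (or 'S') in the group execute slot, character 7.
has_sgid() {
    case "$(mode_of "$1")" in ??????[sS]*) return 0 ;; *) return 1 ;; esac
}

# --- demonstration -----------------------------------------------------
base=$(mktemp -d)
make_public "$base/public"
make_drop_box "$base/drop_box"
echo "$(mode_of "$base/public")   $base/public"
echo "$(mode_of "$base/drop_box") $base/drop_box"

# A file created in drop_box inherits the directory's group ...
: > "$base/drop_box/report.txt"
echo "report.txt group: $(group_of "$base/drop_box/report.txt")" \
     "(directory group: $(group_of "$base/drop_box"))"

# ... but not its owner, even with setuid added to the directory: the
# creator stays the owner, which is why SUID is no use on a Linux directory.
chmod u+s "$base/drop_box"
: > "$base/drop_box/second.txt"
echo "second.txt owner: $(owner_of "$base/drop_box/second.txt")" \
     "(you are $(id -un))"
rm -rf "$base"
```

Running it as an unprivileged user works because chmod only lets you keep the setgid bit on a directory whose group you belong to, and a freshly created directory has your primary group; run as root the same checks pass with root as owner.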

Chmod and sticky bits

A few caveats about the special permission modes are worth noting. The Set
UID and Set GID bits are ignored in several situations for security reasons:
the Linux kernel does not honour them on interpreted (#!) scripts, they have
no effect on any file living on a filesystem mounted with the nosuid option
(common for /tmp, removable media and network mounts), and Linux ignores Set
UID on directories altogether.

